Flaw in latest Java version allows bypass of Java security sandbox.

A flaw identified in the latest version of Java allows for a complete bypass of the Java security sandbox, a security firm reported today. Meanwhile, a security hole recently fixed by Oracle is being targeted by attackers, underscoring the importance of installing patches quickly.

The security firm Security Explorations said today that it sent a "Vulnerability Notice along with a Proof of Concept code" to Oracle, and that Oracle has confirmed receiving the notice. "The company informs that it will investigate based on the data provided and get back to us soon," Security Explorations said.

Security Explorations CEO Adam Gowdiak told Softpedia that it tested the flaw in the original release of Java 7, as well as in Java 7 Updates 11 and 15. Java 7 Update 15, released last week, is the latest version. "When combined, the flaws can be leveraged to achieve a complete bypass of the Java security sandbox," Softpedia wrote.

Few details of the flaw were shared, presumably to prevent it from being exploited by hackers. Gowdiak told Softpedia that the flaw allows abuse of the Java Reflection API "in a particularly interesting way… Without going into further details, everything indicates that the ball is in Oracle's court. Again."

Java updates have been coming frequently lately to patch all the various security holes that have been identified by security firms and/or targeted in attacks. An attack targeting Java 7 Update 11 is now "in the wild," according to an update today from security firm Rapid7. The hole allows bypass of the security sandbox and was fixed by Oracle in Update 13 on Feb. 1. However, exploit kits used by attackers now reportedly target this flaw. The good news is that user interaction is required to run the exploit—no infections will occur unless the user clicks "Run" when asked "Do you want to run the application?"

We've advised before that users who don't need Java should consider uninstalling it, or at least the Java plug-ins used to run Java content in Web browsers. Even savvy computer users aren't necessarily safe. An iPhone developer forum was found last week to be hosting malware targeting Java-enabled computers—resulting in attacks targeting employees of Facebook, Twitter, and Apple.